Medical Oncology Hematology Consultants (MOHC), a Newark, DE-based cancer treatment center, is alerting certain patients that some of their protected health information (PHI) has been exposed as a result of an email security breach.

According to the substitute breach notice on the MOHC website, an email account was compromised between June 7 and June 8, 2018. It is unclear when MOHC learned of the breach, but its ‘extensive investigation’ concluded on March 14, 2019 that the breach had resulted in the exposure of patient information.

Third-party computer forensics experts were engaged to conduct the investigation, which involved extensive coordination with the company that hosts its email environment. Data access and theft could not be ruled out, although no reports have been received to suggest any patient information has been misused.

Names, dates of birth, Social Security numbers, government ID numbers, financial account information, and health and medical information were exposed. All patients affected by the breach have been notified and offered 12 months of membership to credit monitoring and associated services at no cost.

Steps have been taken to improve email security, including the use of a new, secure portal for the delivery of emails from external sources, additional malware blocking measures, a suspicious email reporting system, encryption of outgoing emails, and the provision of further security awareness training to employees. Notifications have also been set up to alert employees if they are attempting to send emails containing unencrypted sensitive information.

This is the second large data breach to be reported by MOHC in the past 2 years. In September 2017, MOHC announced that it was the victim of a ransomware attack that impacted 19,000 patients.

It is currently unclear how many patients have been affected by the latest security breach.

Health Net of California has discovered that a coding error on a mailing has resulted in the impermissible disclosure of subscribers’ PHI.

The coding error was introduced in a mail merge and caused letters to be misaligned. As a result, the PHI of subscribers was printed on letters that were mailed to other subscribers. The coding error occurred on March 1 and affected mailings up until March 12, 2019.

As a result of the error, the following data elements were impermissibly disclosed: name, date of birth, Health Net ID number, health plan name, group number, dependents’ names and ages, primary care physician’s name and address, and the last four digits of dependents’ Social Security numbers.

Health Net of California identified and corrected the coding error and has implemented additional procedures for future mailings, including several testing scenarios and the use of a checklist to make sure errors are found and corrected prior to letters being mailed.

It is currently unclear how many subscribers have been affected.

American Medical Response Alerts Patients About Email Breach

American Medical Response, a Greenwood Village, CO-based provider of emergency and patient relocation services, has discovered that an unauthorized individual has gained access to the PHI of 4,300 patients who had previously used its ambulance service.

The information was contained in employee email accounts that were compromised as a result of a phishing attack. The compromised email accounts contained names, addresses, dates of birth, Social Security numbers, health insurance identifiers, and diagnostic and treatment information. The breach was limited to email accounts and no other systems or databases were subjected to unauthorized access.

While patients’ protected health information was potentially accessed, no reports have been received to suggest any patient information has been misused.

All patients affected by the breach have been notified by mail and have been offered complimentary credit monitoring services. American Medical Response has implemented additional security measures to reduce the risk of further email account breaches and employees have been provided with additional security awareness training.

Bloodworks Northwest Notifies Patients of PHI Exposure

The Seattle, WA-based blood bank and medical research institute, Bloodworks Northwest, is alerting 1,893 patients that some of their PHI has been exposed and potentially stolen.

On March 13, 2019, Bloodworks discovered a list containing patients’ names, dates of birth, and medical diagnoses had gone missing from an employee’s desk. Despite a search being performed, the list could not be located.

Peculiarly, the Notice of Data Privacy Event on the Bloodworks website says “While we are unaware of any misuse of the personal information in the impacted email account, we encourage you to remain vigilant against incidents of identity theft and fraud, to review your account statements, and to monitor your credit reports for suspicious activity.”

It is unclear whether this is an error or if an email account was also compromised. The breach report submitted to the HHS’ Office for Civil Rights suggests the breach solely involved the loss of paperwork.
